TrustMAPP is being featured on a new podcast series titled “Business of Security Podcast Series”.

We are excited to share with you the release of the inaugural episode, which includes unique TrustMAPP customer success use cases. There is an exciting lineup for the first season over the next 12 weeks.

Below are links to the first episode of Business of Security in our inaugural season. We have some really exciting episodes in the lineup! The first season will run for approximately 12 weeks. We look forward to your feedback.

This podcast focuses on many non-technical aspects of cyber risk, cyber security and information security at the intersection of technology and business expectations. Guests include CIOs, CEOs and CISOs discussing the many facets of the information security industry: what matters, what needs to change and how to deal with modern-day challenges in this dynamic industry.

Are you thinking about your 2018 cyber security roadmap? Before you begin let’s look at the year prior.

2017 was a busy year for cybersecurity professionals and the organizations they’re chartered to protect. In addition to several high-profile breaches, some new themes continued to emerge and develop as did – unfortunately – some old ones, making the design and implementation of an effective cybersecurity strategy even more difficult.

Attack surfaces increased significantly due largely to the rapid expansion of cloud infrastructure and cloud-based services and applications, data center virtualization and the addition of millions of connected devices, forcing companies to extend their security posture externally in an attempt to protect an ever-dissolving perimeter. Companies use hundreds of applications that span internal networks, cloud services and remote devices, making security incredibly dynamic and complex.

2017 also saw a huge increase in the commoditization of ransomware. Ransomware-as-a-service and malware-as-a-service can now be purchased on the dark web, in addition to a service known as “fully undetected” that allows cybercriminals to upload code and malware to an analysis service for a fee. Upon completion of the analysis, uploaders receive a report detailing whether commercial security technologies can detect it, allowing the malware to be refined to better defeat the security tools employed by a targeted organization.

Not all trends were new. Security ‘housekeeping’ suffered significantly in 2017. Inefficient/ineffective patching and failure to sunset potentially vulnerable legacy apps and processes contributed to the vast number of exploits that targeted known vulnerabilities. WannaCry targeted vulnerabilities for which the respective vendors had already released a patch. On its heels, Petya targeted the same fixable vulnerability.

Bottom line? Cybersecurity is a tough gig – at every level. Some days it seems like pushing sand up a sand dune. There are, however, some things that can make a difference in terms of creating and enhancing an effective cybersecurity strategy despite the dynamic landscape. I recently read an article about cybersecurity in 2018 that quotes, among others, Lenny Zeltser, Vice President of Products at Minerva, on some of the cybersecurity strategy ‘difference makers’. While I could provide my take, I think Lenny does it extremely well. He suggests the following:

Evaluate the gaps that exist in the current security controls and processes.

Determine if there is any additional protection to be gained through configuration of existing security tools or implementing controls and features that aren’t currently being used in the products you already have.

He sums up with, “Organizations should understand the gaps in their security mechanisms and address them by getting the most out of their existing products and augmenting them with mechanisms that compensate for the remaining gaps.”

Our team here at TrustMAPP agrees that the three points highlighted by Mr. Zeltser are key to having a successful security strategy. This is why we’ve done our part in automating cyber security program strategy activities, improvement tracking and reporting. With TrustMAPP, teams address the three points above and gain clarity on investment and on the effectiveness of existing countermeasures.

As we rapidly approach the end of the calendar year, many cybersecurity departments are working on budget requests for next year. Yet, these same cybersecurity teams are also likely to be busy wrapping up their projects before year end. It is against this backdrop that we wanted to share with you the story of a customer who recently approached our team with this very challenge: To create a security program budget and twelve-month roadmap. The catch? Do it in seven business days or less.

In the following paragraphs, we describe what the customer provided at the start, how we mapped relevant information towards their particular framework of choice, and how we leveraged our TrustMAPP tool to generate a prioritized budget, containing both budget figures and also the resources needed to bring the next year’s proposed security projects to fruition.

Starting with a Baseline

The customer wanted to use a previous risk assessment as a high-level program baseline with identified gaps. However, the assessment was a general IT controls assessment and security was only a small section of the report. To further complicate matters, the assessment results and data were, of course, in PDF format, which would have required significant manual effort to leverage the results to create a plan and roadmap.

The risk assessment report did, however, list areas for improvement that guided initial scores for the baseline. We agreed that the overall goal was to find a way to use the assessment data as part of a meaningful budget and roadmap that aligned with the customer’s business objectives for the coming year.

Mapping Findings From Prior Report

The TrustMAPP team quickly reviewed the report and began to map findings from the assessment to the NIST Cyber Security Framework (NIST CSF). The NIST CSF was not only the customer’s preferred control framework, but also the mechanism by which the various security activities would be reported on and managed in the future.

Once we had the data from the previous assessment mapped to the NIST CSF, we were able to populate the same data fields in the NIST CSF process template in the TrustMAPP tool. Once in TrustMAPP, we could very quickly generate estimates for improvements based on a third-party validated assessment.

Time to complete this task: 2 hours to map assessment data from the PDF report and enter those values into the NIST CSF template in TrustMAPP.

Gaining Insights and Building a Plan

At this stage, using the pre-built analytics in TrustMAPP, our team could readily produce a prioritized roadmap based on the business objectives established – ahead of time – for the security program (in this case, GDPR readiness, FIPS compliance, and HIPAA). The analytics produced a prioritized list of estimated resource requirements (both internal and external) along with estimates of the capital expenditures (hardware, software, training) required to meet the objectives in the coming fiscal year.

Time to complete this task: 2 hours to complete the planning and roadmap development.

Develop Customer Presentation

Using the output from TrustMAPP’s pre-built analytics and intelligence, the team was able to quickly generate estimated budget requirements. The customer received a graphical, high-level security program roadmap to communicate these initiatives, the associated budget and timelines.

Time to complete this task: 2 hours to generate a prioritized roadmap of security activities, complete with the required levels of effort and investment.

A Budget Proposal in Six Hours?

All told, the entire process was completed in about six hours. Compare the scenario we just shared to the time consumed and frustration generated by manually produced budgets, which we estimate at about 120 hours based on our own experience and feedback from existing customers.

TrustMAPP can not only help you produce next year’s budget figures and justification, it can also help track and report your progress, your maturity, as you work to implement your plan. With TrustMAPP, you not only save time, but also elevate your discussions about cybersecurity.

Here at Secure Digital Solutions (SDS), we get the opportunity to work with many types of customers and many types of security vendors. Each customer has a different understanding of the value of cybersecurity maturity and each vendor uses the term security maturity to demonstrate different functionality of their solution. The challenge is that there are as many definitions of maturity as there are customers and vendors. For many customers, the term maturity represents compliance and for many vendors it represents their solution’s coverage of the enterprise. It’s no wonder this critical security performance metric is so widely misunderstood and in many cases, misrepresented. Therefore, I will define what cybersecurity maturity is to us at SDS, why it’s so important for managing a security organization’s performance, and how we utilize it to help security leaders profile, plan and manage their security organizations.

Simply put, cybersecurity maturity is a means to better understand the capability and capacity of a security organization to perform at a certain and/or defined level over time, in a way that drives down risk to the business and increases the fiscal responsibility of the security program. It allows for a true picture, based on data, of how well the functions within your security portfolio are performing today, where they need to be to support your and the company’s strategic objectives, and what it will take to get – and keep – those functions there. It eliminates confusion, subjectivity, inefficiency and lack of understanding around the alignment of people, process and technology. It also provides clear enterprise metrics – derived from operational data – with which you can demonstrate and communicate the capabilities of the security organization to business leadership and the Board of Directors. Finally, it not only complements your current level of compliance and risk mitigation but shows your capacity to maintain the required levels of compliance and risk mitigation.

Our TrustMAPP Platform is giving customers that visibility regardless of where they might be in their cybersecurity journey, and we’ve discovered that the journey begins at one of three stages.

Stage 1: Learning. The security organization is overwhelmed with multiple data sources and needs a way to assess it, aggregate it and determine what it has and what it’s capable of. They use TrustMAPP to discover what cybersecurity maturity is and how it can help.

Stage 2: Implementing. The security organization understands that cybersecurity maturity is meaningful and can provide value but doesn’t know how to utilize it within their environment. They use TrustMAPP to incorporate cybersecurity maturity as a key performance indicator into their environment.

Stage 3: Optimizing. The security organization utilizes cybersecurity maturity as a KPI, but assessment, analysis and reporting are expensive, time-consuming manual efforts. They use TrustMAPP to automate and manage these efforts quickly and efficiently.

So, when is the best time to start using cybersecurity maturity? There are some telltale signs to help make the decision. Is there a need or request for additional security KPIs? How is your risk mitigation capability changing over time? Does the board need more than operational metrics? Does the security roadmap need to be communicated more effectively? Is the security resource strategy and technology plan aligned with business objectives and the threat landscape? How do you know you are getting the full value from your current investments?

Cybersecurity maturity can provide answers to these questions and more. TrustMAPP can provide the way to get there.

Frameworks are important. They lay the foundation for what will eventually be built. Whether building a structure, a vehicle, a medical device or a security program, the need to begin construction using an established set of requirements is critical. It allows for standardization of approach, measurement of quality and improvement over time.

Within the information security space, there are several established frameworks available. Some, such as ISO 27001, have been around for several years. Others are relatively new. The NIST Cybersecurity Framework (CSF) is a good example of a recently released framework that is steadily growing in popularity among security leaders. All provide an excellent starting point when building or improving an information security program and allow for a leader to choose a framework (or frameworks) best suited to accomplish organizational security objectives.

Interestingly, there also exists an industry notion of ‘compliance’ with these frameworks. This is a misnomer. Compliance obligations are typically established by governing entities and have associated penalties if evidence of compliance cannot be demonstrated.

Frameworks, by comparison, are a collection of best practices designed to provide the building blocks upon which to create or improve information security functions. There are no ‘official’ penalties if you choose not to implement a framework, but there are tremendous advantages gained by putting a framework in place.

The security program can be categorized into enterprise level functions. Each function can be assigned a responsible owner and strategic objectives can be established, built, monitored and communicated. Performance of the key functions of the program can be assessed against enterprise risk and compliance obligations. People, process and technology can be aligned in a strategic fashion versus attempting to address multiple risks or compliance obligations individually in a more tactical manner.

TrustMAPP empowers IT and Security Leaders to quickly build a prioritized, strategic roadmap. Its ease of use and incredible flexibility provides leaders a platform to measure and manage the foundational building blocks of their programs. Leaders in multiple industries are using TrustMAPP to assess and measure the capability of their organizations to mitigate enterprise risk and achieve and maintain alignment with their compliance requirements. With powerful built-in analytics and clear, concise reporting capabilities, leaders can communicate the capacity and status of their programs to executive leadership and to the Board of Directors, without the need for spreadsheets and hundreds of human hours of effort. To begin building a NIST CSF roadmap, download our white paper entitled “Roadmap to Success”.

The last few months have been busy at our firm, Secure Digital Solutions. The exposure to, and interest in, our TrustMAPP platform is increasing rapidly. Interestingly enough, much of this interest is coming from across the proverbial pond, so we began to look at a comparison of cybersecurity maturity between the U.S. and the EU. European organizations are looking to leverage the power of cybersecurity maturity as a primary method to measure and manage the performance of cybersecurity programs. Working closely with both US and EU companies has given us a great vantage point from which to see the similarities and differences between cybersecurity philosophies and practices – specifically around the value of cybersecurity maturity as a strategic performance metric. As a result, I decided to take a step back, look into how our industry views the comparison between the two regions, and overlay some of our direct observations.

There’s a plethora of research, analysis and observation out there, and a few pieces stood out to me, but for the most part there doesn’t seem to be a general consensus on which region demonstrates a higher level of cybersecurity maturity. There does, however, appear to be a consensus on the differences in the cybersecurity philosophy upon which cybersecurity programs are built. In a nutshell, the accepted view appears to be that the US is more proficient at security operations while the EU places more focus on frameworks, standardization and processes. In addition, the EU is typically governed by more stringent reporting requirements. While we have observed similar trends in this regard between companies in the two respective regions, we’ve also observed a clear distinction between the two regarding the value and use of cybersecurity maturity. The EU clearly places a higher emphasis on this KPI.

In the EU, frameworks such as NIST, ISO and the EU privacy regulations form the strategic basis on which security functions and processes are built. Resources and technology are implemented to support and enhance strategic risk mitigation objectives. Conversely, US companies focus on security operations – most notably incident response and detection – and address the threat landscape in a progressive, layered approach. EU organizations implement additional security based on increased risk. US companies implement additional security based on increased threat.

The result is that both approaches have strengths and weaknesses. Neither is all-encompassing. The optimum state of the security program would clearly be a quantified hybrid of the two methodologies, and working with organizations on both sides of the pond is giving us the insight and practical experience necessary to help our clients build world-class security programs. In addition, the ability to share practices between security teams in the US and EU is proving invaluable. It strengthens the industry, making all more resilient to cyber threat.

At the end of the day, who demonstrates a higher level of cyber maturity? It’s yet unclear. What is clear is that operational countermeasures must be aligned with, and support, strategic objectives. Conversely, strategic objectives must map to people, process and technology that’s actionable. Both must have KPIs that reflect the true state of the security program and are palatable to the board of directors.

TrustMAPP is providing security leaders with the KPIs to be successful, in addition to alleviating any questions around budget and resource requests.

Secure Digital Solutions releases TrustMAPP® version 2.2 to align risk with process maturity. For the first time security and business leaders can gain a comparative view of security maturity associated with identified risks.

NEW FEATURES

Risk Register, Management and Program Management Overlay Options

TrustMAPP® now integrates risk, best practice frameworks, and maturity to prioritize security investment for business leaders.

New analytics provide a program maturity view through the lens of risk, enabling the ability to prioritize based on risk correlation and process maturity.

Created a view of risk detail analytics using both maturity and risk rating/status filters.

We all deal with, on some level, audits. For highly regulated industries audits are a fact of life. The typical audit lifecycle is similar across virtually all industries. An audit is conducted, executives are briefed on findings and teams are assigned items to remediate before the next audit begins. As a result, oftentimes security performance metrics are presented in terms of audit or compliance status – a binary measure. For most, this serves as an appropriate KPI for cybersecurity and compliance performance.

However, according to the NACD, there are five key cybersecurity principles boards need to be concerned with. While an important function, audit is not specifically listed. Instead, the term cyber risk has been introduced as a key board-level initiative. This is significant because it forces security executives to reconsider the practice of demonstrating security posture primarily in audit and compliance terms and focus on a system of analysis that addresses enterprise risk. Traditional audit activities instead would then be viewed more as a transactional function of business and automated to the extent possible through trusted vendor relationships and tools to reduce repeated costs.

Audits are essential to ensure controls are established and effective in meeting regulatory compliance requirements. However, these activities are a point-in-time snapshot. They are not effective at measuring continuous performance, which is key when determining breach likelihood and the current level of cyber risk – a metric that the NACD places significant focus on. An effective illustration of the difference is the comparison between a digital and an analog signal. Traditional audit and compliance reporting provides a digital – or stepped, square and discrete – pattern, while analog provides a smoother, continuous output.

More and more security executives require both compliance and continuous views to form a true measure of the effectiveness of the security program. They need a compliance view at the control level as well as a continuous enterprise view for the executive suite. With TrustMAPP, organizations can measure their performance continuously, providing the capability to manage and maintain sustained compliance over time.

Recently I started on a lengthy, long-desired journey. My son and I have been looking for an automotive restoration project for a while and, as it turns out, we finally found a ‘perfect’ candidate. Weeks of research and dozens of inspections later, we finally netted a gem – a 1989 Ford Bronco Eddie Bauer Edition equipped with a highly sought-after 351 Windsor engine. The body is in decent shape and it has under 100k miles, but like all older vehicles, it will take work to get it into fighting shape. We knew going in that this would be a mutual ‘sweat equity’ endeavor, and since both of us work long hours and rarely see one another, it would be a wonderful opportunity for father-son time (something I took for granted when I was his age). Ultimately it will be his vehicle and we were both looking forward to embarking on this project. As we drove into the garage and turned off the ignition with a sense of mutual triumph, we wondered: where the heck do we begin?

I knew that we needed an authoritative source before we started the real resto work, so I ordered the Chilton Manual for our specific vehicle. We now had a standard to go by. The next milestone would be a comprehensive review by an experienced mechanic. Both of us have solid knowledge in this area but in no way does it compare to an expert. Better to know what we need to do, and in what recommended order, before we potentially make things worse by flying blind. The Bronco goes in this weekend to be fully assessed. In the meantime, we’ve started building a detailed spreadsheet outlining the usual suspects: cost, parts, manufacturers, vendor websites, etc., in preparation for what we want to do.

Now begins the assessment of our current capabilities. What tools will we need and what do we currently have? We’ll need to address certain fixes right away that will likely be revealed in our mechanic’s check-up, but we’ve also got a wish-list of what we want to do. For example, this motor came standard with electronic fuel injection but we’re contemplating swapping that for a carbureted setup. We know we want aftermarket exhaust as well and all that goes into the spreadsheet with options, cost, etc. We’ve started discussing what days and times we’ll be able to work on this each week but everyone knows that work schedules are simply guidelines and rarely stay static. Our assumptions? Into the spreadsheet. He’ll need a daily driver on the days that we’ve got critical components out of the engine so there’s another scheduling task. Our spreadsheet is growing as well as the ‘master’ schedule but between the two of us we should be able to keep everything on track.

I’ve started searching for some application that may exist to put all of this into a single source, but so far I’ve come up empty. We’ll keep at it and continue to learn, plan, and execute along this exciting journey. We’re under no illusions that this will be an easy road, but the satisfaction of the final product will be fantastic. Fortunately, in my security world, there is a single source with which I can manage multiple complex initiatives. That single source is TrustMAPP.

Like most in the security industry, I read extensively – both technical and non-technical information. It’s virtually impossible to keep up with everything, but it comes with the territory. Add to that the plethora of security-related data you receive from your enterprise tools and technologies, and it makes for a soul-crushing wave of data that must be processed, evaluated and potentially put into practice. How do we keep track of it all? And more importantly, how do we decide if it’s relevant to our mission?

Ideally, it would be fantastic to be able to instantly react and respond to everything out there, but it’s just not possible. Certain events and threats must be addressed immediately; however, the majority must be analyzed, and that takes time. While pinging my security teams for status every time I saw, heard or read something might give me some added measure of assurance, it wouldn’t make their lives very pleasant, and we all know there’s a talent shortage out there. So rather than focusing on individual controls and countermeasures (unless the situation specifically warrants it), I find it more effective to look at my security capabilities using critical process measurement and management, and then assess the influx of information against that barometer.

Phishing, for example, represents a significant threat to the enterprise. This is well known, and the techniques used by bad actors continue to be refined. Analyzing every email that potentially makes it through the secure email gateway is a job for security pros, but isn’t a responsibility I pay forward to my business users. Analysis and adjustment happen first at the process level. What part of the process allowed this to happen? Was it technical? Procedural? Once it’s addressed, how will that change the process – a component of which, for example, is training and awareness? My users (for the most part) know to look at headers and naming conventions and use ‘if in doubt, throw it out’ as a rule of thumb. But if this is something new, I’ve got to incorporate that into every component of the process – from filtering to end-user training. Once that’s successfully completed, I’m able to measure the increased effectiveness of that process, showing upward (or downward) trending over time.

Obviously, it’s not that simple, but it gives me a basis from which to measure and manage the capabilities of my security organization, and that can be used both to run operations day-to-day and to communicate to the C-Suite and Board. Our leaders don’t expect to be briefed on every individual threat and piece of information out there, but they do expect me to ‘have things covered’ and to be able to show evidence to back it up. I can’t do that unless I’m able to cope with the ever-present sensory overload.